Hit Parade: Oracle Faces Yet Another New Java Bug

Oracle faces a newly discovered Java security vulnerability with the finding of a potential coding error that could enable attackers to bypass security restrictions and gain access to a victim's machine.

The security flaw, discovered in all versions of Java SE 7, impacts both client-side and server-side implementations of Java, according to Adam Gowdiak, a security researcher at Security Explorations, based in Poland. Gowdiak said Monday that Oracle was notified about the discovery and provided with proof-of-concept code exploiting the vulnerability.

"Successful exploitation in a Web browser scenario requires proper user interaction," Gowdiak wrote in his announcement posted to the Full Disclosure mailing list. "It can be used to achieve a complete Java security sandbox bypass on a target system."

The working exploit does not bypass click-to-play, requiring users to accept a pop-up security warning in order to run the malicious applet in the browser. Oracle has not yet confirmed the vulnerability.

The vulnerability could have been worse, said Graham Cluley, a senior security consultant at Sophos. Cluley said consumers can choose to remove Java altogether, but enterprise users may have a greater need for the software.

"The fact that even if this vulnerability is exploited by malicious hackers, users are still prompted with a security dialog is better than nothing at all," Cluley wrote in the Sophos Labs blog. "Oracle has been feeling the heat recently, after a spate of malware attacks have exploited holes in its Java product and given the software a reputation for lousy security."

Security firm F-Secure said on Tuesday that it detected ongoing attacks targeting the latest vulnerabilities patched by Oracle in an update issued last week. The attacks emerged a day after the exploits were added to the Metasploit penetration tool. The Metasploit module enables the user to run code outside the Java Sandbox.

Oracle issued a critical Java update repairing 42 vulnerabilities April 17. Oracle said 19 of the flaws are extremely critical, carrying the maximum score in the Common Vulnerability Scoring System.